Google Distributed Cloud version 1.14 runs on Kubernetes 1.25. Kubernetes 1.25 has deleted certain APIs. You can see a list of these deleted APIs in Kubernetes 1.25 deleted APIs.
Determine if the API deletion affects you
In version 1.13 of Google Distributed Cloud, all clusters have cluster audit logging enabled and audit logs are streamed to Google Cloud Observability.
To determine if the Kubernetes Service Accounts you use make calls to any deleted APIs, run the supplied query in Logs Explorer:
- In the Google Cloud console, go to the Logs Explorer page in the Logging menu.
- In the Query field, enter the following query:

      resource.labels.cluster_name = "CLUSTER_NAME"
      AND logName = "projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity"
      AND protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
      AND protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:kube-system:")
      AND protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:cert-manager:")
      AND protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-kubeadm-bootstrap-system:")
      AND protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-kubeadm-bootstrap-system-webhook:")
      AND protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-system:")
      AND protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-system-webhook:")
      AND labels."k8s.io/removed-release" = "1.25"

The output from this query shows if any of your Kubernetes Service Accounts make deleted API calls.
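To triage the results offline, the following added example (not part of the original documentation) applies the same conditions to entries exported from Logs Explorer as JSON and counts deleted-API calls per calling principal. The sample entries, the names `demo-cluster` and `demo-project`, and grouping by the audit log's `methodName` and `resourceName` fields are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Service-account namespaces that the page's query filters out.
EXCLUDED_NS = ("kube-system", "cert-manager", "capi-kubeadm-bootstrap-system",
               "capi-kubeadm-bootstrap-system-webhook", "capi-system",
               "capi-system-webhook")
EXCLUDED = [re.compile(re.escape(f"system:serviceaccount:{ns}:")) for ns in EXCLUDED_NS]

def matches_query(entry, cluster_name, project_id, release="1.25"):
    """Local approximation of the page's query for one exported log entry."""
    log_name = f"projects/{project_id}/logs/externalaudit.googleapis.com%2Factivity"
    who = entry.get("protoPayload", {}).get("authenticationInfo", {}).get("principalEmail", "")
    return (entry.get("resource", {}).get("labels", {}).get("cluster_name") == cluster_name
            and entry.get("logName") == log_name
            and ("system:serviceaccount" in who or "@" in who)
            and not any(rx.search(who) for rx in EXCLUDED)
            and entry.get("labels", {}).get("k8s.io/removed-release") == release)

def summarize(entries, cluster_name, project_id):
    """Return {principal: {(methodName, resourceName): count}} for matching entries."""
    out = defaultdict(lambda: defaultdict(int))
    for e in entries:
        if matches_query(e, cluster_name, project_id):
            p = e["protoPayload"]
            call = (p.get("methodName", "?"), p.get("resourceName", "?"))
            out[p["authenticationInfo"]["principalEmail"]][call] += 1
    return {who: dict(calls) for who, calls in out.items()}

def _sample(who, method, resource, removed=None, cluster="demo-cluster"):
    return {"logName": "projects/demo-project/logs/externalaudit.googleapis.com%2Factivity",
            "resource": {"labels": {"cluster_name": cluster}},
            "labels": {"k8s.io/removed-release": removed} if removed else {},
            "protoPayload": {"authenticationInfo": {"principalEmail": who},
                             "methodName": method, "resourceName": resource}}

CRON = ("io.k8s.batch.v1beta1.cronjobs.list", "batch/v1beta1/namespaces/ci/cronjobs")
SAMPLE_ENTRIES = [  # constructed for illustration, not real log data
    _sample("system:serviceaccount:ci:deployer", *CRON, removed="1.25"),
    _sample("system:serviceaccount:ci:deployer", *CRON, removed="1.25"),
    _sample("system:serviceaccount:kube-system:cronjob-controller", *CRON, removed="1.25"),
    _sample("admin@example.com", "io.k8s.policy.v1beta1.podsecuritypolicies.list",
            "policy/v1beta1/podsecuritypolicies", removed="1.25"),
    _sample("system:serviceaccount:ci:deployer", "io.k8s.batch.v1.cronjobs.list",
            "batch/v1/namespaces/ci/cronjobs"),
    _sample("system:serviceaccount:ci:deployer", *CRON, removed="1.25", cluster="other"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_ENTRIES, "demo-cluster", "demo-project"))
```

Each principal in the result is a workload or user whose manifests or client libraries need to move to a supported API version before the upgrade.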

